[security-dev] How to configure ServiceProviderAuthenticator to do this ?
Pedro Igor Silva
psilva at redhat.com
Thu Oct 16 12:15:22 EDT 2014
But I think we had an issue to change this behavior and always sign the AuthnRequest when signatures are enabled. Maybe you are supporting that because you're not considering the latest changes.
----- Original Message -----
From: "Mike Cirioli" <mcirioli at redhat.com>
To: "Adam Dong" <adamdong at vidder.com>, "Pedro Igor Silva" <psilva at redhat.com>
Cc: security-dev at lists.jboss.org
Sent: Thursday, October 16, 2014 1:12:06 PM
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
Adam -
If I understand what you are asking correctly, that is exactly the
scenario we have for all the SPs available through our internal
PicketLink IdP. Authn requests are not signed, but all assertions are
being signed by the IdP and validated by the SPs.
-mike
On 10/16/2014 12:08 PM, Adam Dong wrote:
> I see, that is PicketLink's IDP behavior.
>
> The IDP (from another vendor) that my PicketLink SP is interacting with does NOT want a signed AuthnRequest, but it will sign the assertion in the response.
>
> So my question is from my PicketLink SP's point of view: could it be configured to not sign the AuthnRequest, but still be able to verify the signature of the assertion in the response?
>
> Thanks,
> Adam
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, October 16, 2014 9:02 AM
> To: Adam Dong
> Cc: security-dev at lists.jboss.org
> Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
>
> If your IdP is configured to support signatures and you send an unsigned AuthnRequest, it will allow you to authenticate. However, once you submit your credentials the IdP will process the AuthnRequest (which was previously stored) and it will fail because it is not signed.
>
> So the SAML response/assertion will never be sent to the SP.
>
> ----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, October 16, 2014 12:54:13 PM
> Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
>
>
> To send an AuthnRequest without a signature (without signing it), but still be able to verify the signature of the assertion in the response?
>
> Thanks,
> Adam
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>